Andrew Retrum

Managing Director

Andrew Retrum is a Managing Director within Protiviti’s Technology Consulting Practice and the Global Technology Risk & Resilience Practice Co-Lead.

Andrew assists our clients in navigating an ever-evolving risk landscape, managing cyber and evolving technology risks, and helping them better understand, communicate, respond to, and recover from adverse events.

Andrew has led Cyber Program Offices for several large institutions as part of broader business transformation efforts. He is an advocate for the adoption of the FAIR Methodology as an alternative method of IT Risk Management and a thought leader on recent cybersecurity regulatory matters. Most recently, he is partnering with key trade associations within the financial sector to help craft the global response on the topic of Operational Resilience. Prior to joining Protiviti as a founding member in 2002, Andrew spent his career at a “Big 5” Public Accounting firm in the Technology Risk Consulting practice.


  • Major Projects
  • Led Protiviti efforts in partnering with SIFMA on cybersecurity and resilience-related matters impacting the financial sector, including leading the last two sector-wide cybersecurity exercises (Quantum Dawn V and VI)
  • Supported many large financial services clients in addressing ongoing cybersecurity and resilience program challenges
  • Led a multi-year relationship with a large insurance company to support the security and information risk function as the enterprise went through a client-first transformation. Areas of focus included Application Security, Identity Management, Cloud Security, Vendor Management, IT Risk Management and GRC
  • Assisted a client in prioritising and planning key infrastructure and security activities for a $300M merger program
  • Led an engagement to help a company prepare for New York Department of Financial Services (NY DFS) Cybersecurity Attestation, including specific efforts to complete an enterprise-wide risk assessment in line with requirement 500.09
  • Oversaw General Data Protection Regulation (GDPR) readiness review and compliance roadmap for a global technology and communications organisation
  • Leveraging Agile and other similar frameworks to help both our clients and our engagement delivery realise clear value more efficiently and effectively
  • Led Cybersecurity transformation efforts at several clients, evolving to target states aligned to their organisational risk profile


  • Technology Risk
  • Security Program & Strategy
  • Operational Resilience


  • Financial Services


  • B.S. Management Information Systems, University of Illinois in Urbana-Champaign
  • Executive M.B.A., Securities Industries Institute, The Wharton School (2023)